Web application abuses : FreePBX 2.9.0 - 2.10.0 Multiple Vulnerabilities

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.902823

Categoría: Web application abuses

Título: FreePBX 2.9.0 - 2.10.0 Multiple Vulnerabilities - Active Check

Resumen: FreePBX is prone to multiple cross-site scripting (XSS) and; remote command execution (RCE) vulnerabilities.

Descripción: Summary:
FreePBX is prone to multiple cross-site scripting (XSS) and
remote command execution (RCE) vulnerabilities.

Vulnerability Insight:
Multiple flaws are caused by an,

- Improper validation of user-supplied input by multiple scripts, which allows attacker to
execute arbitrary HTML and script code on the user's browser session in the security context of
an affected site.

- Input passed to the 'callmenum' parameter in recordings/misc/callme_page.php (when 'action' is
set to 'c') is not properly verified before being used. This can be exploited to inject and
execute arbitrary shell commands.

Vulnerability Impact:
Successful exploitation may allow remote attackers to steal
cookie-based authentication credentials or execute arbitrary commands within the context of the
affected application.

Affected Software/OS:
FreePBX versions 2.9.0 and 2.10.0.

Solution:
Apply the patch from the referenced advisory.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2012-4869
BugTraq ID: 52630
http://www.securityfocus.com/bid/52630
http://www.exploit-db.com/exploits/18649
http://www.exploit-db.com/exploits/18659
http://seclists.org/fulldisclosure/2012/Mar/234
http://packetstormsecurity.org/files/111028/FreePBX-2.10.0-Remote-Command-Execution-XSS.html
http://secunia.com/advisories/48463
XForce ISS Database: freepbx-callmepage-command-exec(74174)
https://exchange.xforce.ibmcloud.com/vulnerabilities/74174
Common Vulnerability Exposure (CVE) ID: CVE-2012-4870
http://secunia.com/advisories/48475
XForce ISS Database: freepbx-multiple-xss(74173)
https://exchange.xforce.ibmcloud.com/vulnerabilities/74173

Copyright Copyright (C) 2012 Greenbone AG

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.902823
Categoría:	Web application abuses
Título:	FreePBX 2.9.0 - 2.10.0 Multiple Vulnerabilities - Active Check
Resumen:	FreePBX is prone to multiple cross-site scripting (XSS) and; remote command execution (RCE) vulnerabilities.
Descripción:	Summary: FreePBX is prone to multiple cross-site scripting (XSS) and remote command execution (RCE) vulnerabilities. Vulnerability Insight: Multiple flaws are caused by an, - Improper validation of user-supplied input by multiple scripts, which allows attacker to execute arbitrary HTML and script code on the user's browser session in the security context of an affected site. - Input passed to the 'callmenum' parameter in recordings/misc/callme_page.php (when 'action' is set to 'c') is not properly verified before being used. This can be exploited to inject and execute arbitrary shell commands. Vulnerability Impact: Successful exploitation may allow remote attackers to steal cookie-based authentication credentials or execute arbitrary commands within the context of the affected application. Affected Software/OS: FreePBX versions 2.9.0 and 2.10.0. Solution: Apply the patch from the referenced advisory. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2012-4869 BugTraq ID: 52630 http://www.securityfocus.com/bid/52630 http://www.exploit-db.com/exploits/18649 http://www.exploit-db.com/exploits/18659 http://seclists.org/fulldisclosure/2012/Mar/234 http://packetstormsecurity.org/files/111028/FreePBX-2.10.0-Remote-Command-Execution-XSS.html http://secunia.com/advisories/48463 XForce ISS Database: freepbx-callmepage-command-exec(74174) https://exchange.xforce.ibmcloud.com/vulnerabilities/74174 Common Vulnerability Exposure (CVE) ID: CVE-2012-4870 http://secunia.com/advisories/48475 XForce ISS Database: freepbx-multiple-xss(74173) https://exchange.xforce.ibmcloud.com/vulnerabilities/74173
Copyright	Copyright (C) 2012 Greenbone AG